In case you need a reminder that trojans can still appear on the iOS or Android app stores, a new one has been discovered by the researchers at Kaspersky Lab. Published on Thursday, Kaspersky's latest report discusses the details of a Russian app called "Find and Call." This first looked like an SMS worm, but was later discovered to be a trojan that uploads users' contact lists to a remote server. Once the contact lists are uploaded, the server will send out SMS spam—claiming to be from the victim—to the phone numbers on the list with a URL to the app, helping to spread itself across iOS and Android devices alike.

When downloaded, Find and Call asks the user to sign in with an e-mail address and cell phone number. Kaspersky points out that neither field is checked for validity before moving forward. The user is then asked if he or she wants to "find friends in a phone book"—if the user agrees, the app uploads the device's address book data in the background without notifying the user or even indicating that anything is happening at all. Every single person in the contact list will receive the SMS spam, but it won't look like spam from the receiver's end.

"[T]he ‘from’ field contains the user’s cell phone number," wrote Kaspersky Lab researcher Denis Maslennikov. "In other words, people will receive an SMS spam message from a trusted source."

Find and Call can no longer be found on the iOS App Store on our end, though Kaspersky (and several other publications) claim it's still searchable for some users. The discovery is significant because it's the first time a truly malicious app has made its way through Apple's approval process. (Kaspersky points out that malware in the Google Play Android store is "nothing new.") An app that exploited an iOS security flaw did make it through Apple's approval process once before, but it was a proof-of-concept app written by renowned security researcher Charlie Miller.

Apple ended up yanking Miller's developer credentials, but what happened to Miller means nothing to malicious attackers looking for an easy way to exploit users. And Find and Call takes advantage of user trust in the same manner as other, non-malicious apps when it comes to uploading user info in the background. Social networking app Path came under fire for this behavior in February, and a slew of other apps—Foursquare, Instagram, Facebook, Twitter, Voxer, Hipster, LinkedIn, Gowalla, Foodspotting, Angry Birds, and Cut the Rope, to name a few—were also found to be sending some or all of a user's address book data to remote servers.

Apple responded to the Path controversy by saying it planned to update iOS so that apps that want to upload user data would be forced to ask for explicit consent. "We’re working to make this even better for our customers, and as we have done with location services, any app wishing to access contact data will require explicit user approval in a future software release," Apple spokesperson Tom Neumayr told All Things D in February. That release has not yet come down the pipeline to end users, though, leaving us regular users open to potential attacks like the one being spread via Find and Call. And even though Find and Call can no longer be found on the App Store, it's a sign of things to come—especially before Apple is able to issue such an OS update.

Kaspersky acknowledges that Find and Call may not overtly brick someone's smartphone or steal money from users just yet—the website for the app does ask users for their social networking logins and PayPal account passwords, though. The larger picture is that as both iOS and Android continue to grow in popularity, they will increasingly find themselves the targets of similar data-stealing attacks.

"Yes, these pieces of malware are not that ‘cybercriminalistic.’ But malware is malware and in this case it steals user’s phone book and uses it for SMS spam," Maslennikov wrote. "And we’re sure that there must be strict and quick response to such incidents. Period."